forked from elastic/ecs
os.yml
# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
---
- name: os
  title: Operating System
  group: 2
  short: OS fields contain information about the operating system.
  description: >
    The OS fields contain information about the operating system.
  reusable:
    top_level: false
    expected:
      - observer
      - host
      - user_agent
  type: group
  fields:
    - name: type
      level: extended
      type: keyword
      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
      description: >
        Use the `os.type` field to categorize the operating system into one of
        the broad commercial families.

        One of the following values should be used (lowercase): linux, macos, unix, windows.
        If the OS you're dealing with is not in the list, the field should not be populated.
        Please let us know by opening an issue with ECS, to propose its addition.
      example: macos
    - name: platform
      level: extended
      type: keyword
      description: >
        Operating system platform (such as centos, ubuntu, windows).
      example: darwin
    - name: name
      level: extended
      type: keyword
      example: "Mac OS X"
      description: >
        Operating system name, without the version.
      multi_fields:
        - type: match_only_text
          name: text
    - name: full
      level: extended
      type: keyword
      example: "Mac OS Mojave"
      description: >
        Operating system name, including the version or code name.
      multi_fields:
        - type: match_only_text
          name: text
    - name: family
      level: extended
      type: keyword
      example: "debian"
      description: >
        OS family (such as redhat, debian, freebsd, windows).
    - name: version
      level: extended
      type: keyword
      example: "10.14.1"
      description: >
        Operating system version as a raw string.
    - name: kernel
      level: extended
      type: keyword
      example: "4.4.0-112-generic"
      description: >
        Operating system kernel version as a raw string.
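As an added example that is not part of the ECS repository, the following Python check applies the rules this fieldset encodes (no top-level `os`, reuse only under observer/host/user_agent, keyword fields as strings, `os.type` limited to the four lowercase families) to an event document; the OS_FIELDSET dict and the sample events are constructed from the schema above.

```python
"""Validate ECS `os.*` usage in an event against the os fieldset.

Added example, not ECS project code: OS_FIELDSET mirrors os.yml above,
and the event documents below are constructed samples, not real telemetry.
"""

# Mirror of the os fieldset: reuse locations and the field names it defines.
OS_FIELDSET = {
    "top_level": False,
    "expected": ("observer", "host", "user_agent"),
    "fields": ("type", "platform", "name", "full", "family", "version", "kernel"),
}
# Allowed lowercase values for os.type, per the schema description.
OS_TYPES = frozenset({"linux", "macos", "unix", "windows"})


def validate_os(event: dict) -> list:
    """Return a list of problems; an empty list means the event conforms."""
    problems = []
    if "os" in event and not OS_FIELDSET["top_level"]:
        problems.append("os: fieldset is not allowed at the top level")
    for parent, obj in event.items():
        if not isinstance(obj, dict) or "os" not in obj:
            continue
        if parent not in OS_FIELDSET["expected"]:
            problems.append(f"{parent}.os: os is not an expected reuse under {parent}")
            continue
        os_obj = obj["os"]
        if not isinstance(os_obj, dict):
            problems.append(f"{parent}.os: expected an object")
            continue
        for key, value in os_obj.items():
            path = f"{parent}.os.{key}"
            if key not in OS_FIELDSET["fields"]:
                problems.append(f"{path}: not an ECS os field")
            elif not isinstance(value, str):  # every os field is type keyword
                problems.append(f"{path}: keyword fields must be strings")
            elif key == "type" and value not in OS_TYPES:
                # Schema: unknown family -> leave os.type unpopulated instead
                problems.append(f"{path}: {value!r} not in {sorted(OS_TYPES)}")
    return problems


# Constructed sample events.
GOOD_EVENT = {"host": {"os": {"type": "linux", "platform": "ubuntu",
                              "kernel": "4.4.0-112-generic"}}}
BAD_EVENT = {"os": {"type": "Windows"},
             "observer": {"os": {"type": "Windows", "version": 10, "arch": "x86_64"}}}

if __name__ == "__main__":
    for problem in validate_os(BAD_EVENT):
        print(problem)
```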